Wednesday, September 11, 2013

IE 10 Prompting for credentials - Windows Authentication

Today I responded to a customer who has an internal intranet. The customer has no issues accessing the intranet page from IE7, IE8, or IE9 - However when upgrading to Internet Explorer 10, the users are now getting prompted for username and password using windows authentication even though the user account the user is logged in with has access to the website hosted on Internet Information Services (IIS).

The following screenshot shows the logon authentication prompt presented from Internet Explorer 10 when attempting to access the organisations internal intranet.

Internet Explorer 10 by default allows credentials to automatically pass through to all "intranet" pages, however "internet" pages do not pass through credentials for security reasons. To see if Internet Explorer is treating the page as an "intranet" page or "internet" page, right click on the page error message (depending if you typed your credentials in or not) and click properties.

In the properties section of the page it will display what zone is currently configured. As you see below, Internet Explorer is treating the "intranet" page for this customer as an "internet" page and hence the user is getting prompted.

Now one fix for this problem is to simply go to Internet Options, Internet, Custom Level and set the User Authentication --> Logon to "Automatically logon with current user name and password". Whilst this will solve the problem it will lead to credentials of the current logged in user to pass over the Internet, not such a good idea!

A better fix is to configure your "intranet" page which is being treated as an "internet" page as an "intranet" page within Internet Explorer. This can be done by going to Internet Options, Local Intranet, Sites, Advanced.

In the advanced page add your local intranet page.

Problem fixed - Internet Explorer will no longer prompt for Authentication when accessing the local Intranet.

Applying fix to all computers

Now you want to apply this configuration to all computers on your domain. This can be done using Group Policy using the "Site to Zone Assignment List" group policy setting. This setting is located under:

I'm assuming this will fix one of our user's access troubles. She has IE 10, and it works fine for everyone on IE 9 and IE 11 (as far as I know). We may roll out the specific site through group policy. Thanks for the idea!

I rolled this out as a group policy domain-wide, but one user is still being prompted for credentials in IE and is getting flat out denied in Chrome. This is just one user. His internet settings do show that they are maintained by the group policy and the site is located in the intranet zone. Strange how it works for everybody but him.

For Chrome, you may try editing the registry under HKEY_LOCAL_MACHINE | SOFTWARE | Policies. Under Policies, create a key called Google and then a key under Google called Chrome and then a string for Chrome called AuthNegotiateDelegateWhitelist. So the full item will be HKEY_LOCAL_MACHINE | SOFTWARE | Policies | Google | Chrome with a REG_SZ (string) object under Chrome. Set the value of the string to your site. Note: some users report this makes Chrome unstable, so only try this as a last resort.

Bangalore web Zone is a web site design and website development company with considerable knowledge in developing web-site and using powerful digital marketing & enterprise growth strategies for our customers.We’re professionals when it comes to marketing and advertising and technology but more important we’re zealous about using our knowledge to make your brand much better.

This is very much great and hope fully nice blog. Every body can easily found her need able information. I am visit first time but I fond many use full article. I will back again when get time.great post.Never knew this, thanks for letting me know.

I have an issue where an a single intranet site prompts for credentials, but only over direct access, lan is fine. It started after we changed the site to a fqdn. After research we discovered that its profile related and is resolved by deleting the profile. I'm looking for a registry or file location that may be causing this. Any suggestions

We are the proficient web development company in India, that offers an extensive range of services like web application development, website designing, e-commerce solutions.Web Development in India|SEO Company India

Great job!! your work is amazing. your working process is wonderful. I make you feel relaxed, well cared and extra special.I highly recommend this place. Thanks! You guys are the best!Networking Security Services Bangalore